Healthcare cybersecurity: A comprehensive guide for accredited general practices

Healthcare cybersecurity is now an urgent priority for accredited general practices as the sector faces escalating threats of data breaches and cyberattack. 

In the first half of 2024, healthcare reported the highest number of data breaches of any Australian industry, accounting for nearly one in five (19%) of all notifications to the Office of the Australian Information Commissioner (OAIC). 

In this guide, we outline the biggest cybersecurity threats to accredited general practices and share healthcare cybersecurity tips to help protect your practice.

What are the data privacy obligations for accredited general practices?

Under the Privacy Act 1988(Cth) and the Australian Privacy Principles (APPs), anyone who collects, deals with or discloses personal information must comply with data privacy obligations. 

Organisations must meet the 13 APPs, along with any additional obligations under state or territory privacy laws. 

Breaches of the APPs can result in substantial penalties – up to $2.5 million for individuals and potentially over $50 million for companies. 

You can read Avant’s easy-to-read guide for an overview of your obligations under the APPs. 

Top 3 healthcare cybersecurity threats to accredited general practices

In the first half of 2024, 67% of all data breaches reported to the OAIC were caused by cybersecurity incidents. The top threats included: 

  1. Phishing (31% of all cybersecurity incidents): Cybercriminals trick individuals into revealing sensitive information, such as passwords or credit card numbers, via fraudulent emails or messages. 
     
  2. Ransomware (24%): Malicious software locks or encrypts data, and attackers demand payment to restore access. 
     
  3. Compromised or stolen credentials (24%): Hackers gain unauthorised access by stealing login credentials, often due to weak passwords or unsecure storage. 

Ex-healthcare employee exposes sensitive data of 20,000 individuals 

Healthcare organisations and accredited general practices are increasingly targeted by cybercriminals due to the high value of personal and health information they store. 

A significant example highlighted in the OAIC’s 2024 report involved a healthcare provider where a former employee accessed and disclosed sensitive data of over 20,000 individuals over two years.  

The former employee exploited their unauthorised access to share information with an external party for financial gain, using both work-issued devices and personal accounts. 

In response, the provider implemented new monitoring systems to flag high-volume record access, large data copying and file uploads to external sites. 

Are there cybersecurity obligations for accredited general practices?

In November 2024, the Cyber Security Act 2024 (Cth) became law. The law will take effect upon receiving royal assent. 

One of the key obligations it will introduce is mandatory reporting of cyber extortion incidents for organisations that have over $3 million in annual revenue or are responsible for critical infrastructure assets.  

If they make a ransomware payment, these organisations must report it to the Australian Signals Directorate within 72 hours. 

The legislation will also require manufacturers and suppliers to adhere to minimum cyber security standards for smart devices, along with other measures.  

How to help protect your accredited general practice

Healthcare cybersecurity requires all practice team members to be vigilant of potential threats. Here are some essential tips to help safeguard against common threats: 

Preventing phishing attacks 

  • Train staff to identify phishing emails, such as those with suspicious links or urgent requests for sensitive information. 
  • Avoid clicking on links or downloading attachments from unknown sources. 
  • Use email filtering tools to block suspicious messages. 

Protecting against ransomware 

  • Regularly back up critical data, test backups and ensure they’re stored securely offline. 
  • Keep all software and security systems updated to patch vulnerabilities. 
  • If affected by ransomware, do not pay the ransom. Contact the Australian Cyber Security Centre’s 24/7 hotline at 1300 CYBER1 (1300 292 371) for support. 

Securing against compromised or stolen credentials 

  • Implement strong passwords and update them regularly. 
  • Enable multi-factor authentication (MFA) to add an extra layer of security. 
  • Restrict system access to authorised personnel only. 

Even with the right protections in place cyberattacks remain a possibility. That’s why some practices are turning to cyber insurance for added protection. 

You can learn about Avant’s cyber insurance, which is offered as complimentary cover to eligible practices as part of our practice medical indemnity policy. 

Or for more practical cybersecurity tips you can read our checklist for improving healthcare cybersecurity and our guide to responding to a cyber incident

Preventing data breaches caused by human error

Human error accounted for 30% of data breaches reported to the OAIC in the first half of 2024. The most common errors included: 

  1. Sending personal information to the wrong recipient (38% all human error incidents).
  2. Unintentionally releasing data publicly (24%).
  3. Failing to use BCC in emails and thereby exposing email addresses (10%).

Examples: Why minimising human error is crucial

The importance of reducing human error is highlighted by these real-world examples reported to the OAIC: 

1. Sensitive information sent to the wrong recipient 

In 2022, a Victorian general practice was ordered to pay $16,400 in fines after an email containing highly sensitive patient information, including HIV status, was mistakenly sent to an incorrect recipient. 

Following this costly error, the practice implemented stricter email verification processes and mandatory staff training on secure communication practices. 

2. Unsecured cloud storage breach 

In 2024, a healthcare provider inadvertently exposed sensitive health referral documents when an employee changed cloud storage security settings during an upload. The breach was discovered when the documents became publicly accessible. 

In response, the organisation restricted access permissions, implemented automated alerts for policy violations and introduced mandatory cybersecurity training for all staff. 

How to help safeguard against human error breaches

  • Develop and enforce policies on secure email practices. 
  • Obtain and document patient consent before using email to communicate sensitive information. 
  • Limit access to systems to select staff members. 
  • Use encryption or password protection for email communications and provide passwords via secure channels. 
  • Verify email addresses before sending and regularly confirm patient contact details in your system. 

For more practical guidance, you can read our guide on how to help prevent data breaches

How PracticeHub can help strengthen healthcare cybersecurity

Using a digital solution like PracticeHub can help simplify cybersecurity and data privacy compliance for your accredited general practice. Here’s how: 

1. Pre-written policies and procedures 

PracticeHub offers expertly written, customisable templates to help support robust cybersecurity measures, including: 

  • A privacy and confidentiality policy covering how information is shared and accessed.
  • A system security policy detailing confidentiality measures, firewalls, remote access and data backups.
  • A My Health Record policy outlining secure usage and access protocols.
  • An email use policy addressing patient consent, email verification, password protection and encryption. 

2. Centralised, sharable registers for enhanced visibility 

PracticeHub’s equipment and contract registers help you track IT assets and manage agreements with software providers, antivirus services and IT support. 

You can also create your own registers with PracticeHub’s Custom Registers module. For example: 

  • A Clinical Software Access Register to monitor who has access to specific platforms and when it was granted.
  • An IT Device Loan Register to track the location and use of your devices. 

You can easily upload documents, set reminders for key dates and share registers with select team members. 

3. Privacy and confidentiality online training 

As one of eight e-learning courses in the platform, PracticeHub offers a course on privacy and confidentiality that covers privacy legislation, APP requirements and IT security. 

It’s easy to assign this training to your team and monitor their progress with instant alerts.  

Meanwhile, a final quiz assists in identifying knowledge gaps so you can set up further training if necessary. 

Want to learn more about PracticeHub?

While PracticeHub can help improve healthcare cybersecurity, its benefits extend far beyond.   

Specifically designed for accredited general practices, it helps reduce admin by centralising all your tasks, documents, registers, incident management and more in one intuitive platform.  

Book a 30-minute demo today to see how PracticeHub can help transform your practice’s efficiency and support your team. 

Career stage
Topic

Other resources

  1. Why public liability cover is valuable for doctors - Avant

    Why public liability cover is important for doctors

  2. 6 practical tips for hiring staff at your accredited general practice - Avant

    6 practical tips for hiring staff at your accredited general practice

  3. AI scribes in practice: common errors to consider - Avant

    AI scribes in practice: common errors to consider

More ways we can help you

Indemnity insurance
Health insurance
Practice solutions
Finance
Legal services
Life & income protection

Disclaimers

Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgment or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant and Avant Practice Solutions are not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published. © Avant Mutual Group Limited 2024. 

To Top

NSW State Office AddressLevel 6, Darling Park 3, 201 Sussex Street, Sydney NSW 2000
Telephone 02 9260 9000 | Facsimile 02 9261 2921

Mailing addressPO Box 746 Queen Victoria Building NSW 1230

Connect with Avant

facebookxlinkedininstagramyoutube

In the spirit of reconciliation, Avant acknowledges the Traditional Custodians of Country throughout Australia, and their connections to land, sea and community. As a national organisation, we pay our respects to Elders past and present, of the lands on which we gather and work, and extend that respect to all Aboriginal and Torres Strait Islander peoples.

IMPORTANT: Professional indemnity insurance and the Practice Medical Indemnity Policy available from Avant Mutual Group Limited ABN 58 123 154 898 (Avant Mutual) are issued by Avant Insurance Limited, ABN 82 003 707 471, AFSL 238 765 (Avant). Avant Cyber Insurance cover is available to eligible Avant Practice Medical Indemnity Policy holders up to the cessation of their policy and is provided under a Group Policy between Liberty Mutual Insurance Company ABN 61 086 083 605 (Liberty) and Avant. Private health insurance products are issued by The Doctors’ Health Fund Pty Limited, ABN 68 001 417 527, a member of the Avant Mutual Group. Avant arranges Avant Business Insurance as agent of the insurer Allianz Australia Insurance Limited ABN 15 000 122 850, AFSL 234 708 (Allianz) and may receive a commission on each policy arranged. Avant Travel Cover is available under a Group Policy between QBE Insurance (Australia) Limited, ABN 78 003 191 035, AFSL 239 545 (QBE) and Avant Mutual. Avant Travel Cover is underwritten by QBE and Avant may receive a benefit for arranging cover. Avant Finance is a registered business name of Avant Doctors’ Finance Pty Ltd (ACN 637 769 361) and licensed to Avant Doctors’ Finance Brokers Pty Ltd (ABN 75 640 406 784). Avant Doctors’ Finance Brokers Pty Ltd is a wholly owned subsidiary of Avant Doctors’ Finance Pty Ltd. Loan products may be provided by Avant Doctors’ Finance Pty Ltd or arranged by Avant Doctors’ Finance Brokers Pty Ltd. Credit services or assistance to which the National Credit Code applies are provided by Avant Doctors’ Finance Brokers Pty Ltd as authorised Credit Representative (Credit Representative Number 523242) for LMG Broker Services Pty Ltd ACN 632 405 504 Australian Credit Licence 517192. Legal services are provided by Avant Law Pty Ltd ABN 63 136 429 153 (Avant Law). Liability limited by a scheme approved under Professional Standards Legislation. Legal practitioners employed by Avant Law are members of the scheme.


The information provided on this website is general advice only and has been prepared without taking into account your objectives, financial situation and needs. You should consider these, having regard to the appropriateness of the advice before deciding to purchase or continue to hold these products. For full details including the terms, conditions, and exclusions that apply, please read and consider the relevant Product Disclosure Statement or policy wording and Target Market Determination (TMD) which are available on this website or by contacting us on 1800 128 268. Information on this site does not constitute legal or professional advice, and is current as at the date of initial publication.